[email protected] said:
>
> This seems like a useful near-term approach, but also probably something that
> might want to migrate to DANE over time.

Sure, though it's going to take a while (e.g., before browsers hard-fail on assurances sourced via Secure DNS). See:

[dane] A browser's myopic view
https://www.ietf.org/mail-archive/web/dane/current/msg02354.html


> Is there any particular reason you're using key fingerprints instead of cert
> fingerprints?  It seems like the latter might be slightly easier to
> implement, since you don't have to parse the cert.

I assume it's because the certificates that public keys are embedded within can, in practice, change without the key pairs themselves changing.

The rationale ought to of course be noted in the spec.

=JeffH



_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
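
An added example, not part of the original message or of the spec under discussion: it illustrates the key-versus-certificate fingerprint point raised in the thread by parsing the SubjectPublicKeyInfo out of two certificates that share a key and comparing both kinds of fingerprint. The certificates are constructed, unsigned placeholders, and the function names and the SHA-256/Base64 fingerprint format are assumptions of this example.

```python
import base64, hashlib

def tlv(tag, body):
    """DER-encode one tag-length-value (short or long definite length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + n

def spki_der(cert):
    """Return the SubjectPublicKeyInfo TLV of an X.509 certificate."""
    _, pos, _ = read_tlv(cert, 0)       # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert, pos)     # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                     # optional [0] version
        pos = end
    for _ in range(5):  # serial, signature alg, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    return cert[pos:read_tlv(cert, pos)[2]]

def fingerprint(data):
    """Base64 SHA-256 digest (hash choice is an assumption of this example)."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def toy_cert(serial, not_after, key_byte):
    """Constructed, unsigned X.509-shaped DER with placeholder key bytes."""
    alg = lambda oid: tlv(0x30, tlv(0x06, bytes.fromhex(oid)))
    spki = tlv(0x30, alg("2a8648ce3d0201") + tlv(0x03, b"\x00\x04" + bytes([key_byte]) * 64))
    validity = tlv(0x30, tlv(0x17, b"250101000000Z") + tlv(0x17, not_after))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial]))
              + alg("2a8648ce3d040302") + tlv(0x30, b"") + validity + tlv(0x30, b"") + spki)
    return tlv(0x30, tbs + alg("2a8648ce3d040302") + tlv(0x03, bytes(9)))

def pins_match(old, new):  # -> (cert fingerprints equal, key fingerprints equal)
    return (fingerprint(old) == fingerprint(new),
            fingerprint(spki_der(old)) == fingerprint(spki_der(new)))

ORIGINAL = toy_cert(1, b"260101000000Z", 0xA1)   # constructed sample
RENEWED = toy_cert(2, b"270101000000Z", 0xA1)    # new serial and expiry, same key
```

`pins_match(ORIGINAL, RENEWED)` reports that the certificate fingerprints differ while the key fingerprints agree, at the cost of the DER walk in `spki_der` that a whole-certificate hash would not need.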